Quantum blockchain based on asymmetric quantum encryption and a stake vote consensus algorithm

As emerging next-generation information technologies, blockchains have unique advantages in information transparency and transaction security. They have attracted great attention in social and financial fields. However, the rapid development of quantum computation and the impending realization of quantum supremacy have had significant impacts on the advantages of traditional blockchain based on traditional cryptography. Here, we propose a blockchain algorithm based on asymmetric quantum encryption and a stake vote consensus algorithm. The algorithm combines a consensus algorithm based on the delegated proof of stake with node behaviour and Borda count (DPoSB) and quantum digital signature technology based on quantum state computational distinguishability with a fully flipped permutation ($\text{QSCD}_{\text{ff}}$) problem. DPoSB is used to generate blocks by voting, while the quantum signature applies quantum one-way functions to guarantee the security of transactions. The analysis shows that this combination offers better protection than other existing quantum-resistant blockchains. The combination can effectively resist the threat of quantum computation on blockchain technology and provide a new platform to ensure the security of blockchain.

Wusheng Wang, Yang Yu & Lingjie Du
The concept 1 of blockchain technology was first introduced by Satoshi Nakamoto in 2008. Blockchain is a decentralized block of data linked in a chronological chain network to provide a distributed shared ledger and database. For example, in the first blockchain system, i.e. Bitcoin, each block contains two parts, namely, the block header and block body. The block header contains the hash value of the current block, the hash value of the previous block, the timestamp, and information about the Merkle tree; the block body contains the transaction information and the corresponding digital signature. One advantage of the blockchain is the usage of a distributed network, which provides the transparency and security of transaction information. After more than ten years of rapid development, this technology is not limited to Bitcoin and other cryptocurrencies but also attracts intense attention from multidisciplinary areas, such as finance, energy, medical care, and government affairs.
At the core of blockchain technologies, the most important aspects are consensus algorithms and digital signatures. Consensus algorithms can be used to generate blocks, while digital signatures can secure transaction information. For example, the consensus algorithm used in the Bitcoin network is proof of work (PoW) 1, which allows every miner to compete through computing power based on a hash algorithm. The miner with higher hash power tends to have a larger probability of finding the correct hash solution, and the first miner that finds the correct hash value will generate a new block. In addition, there are other consensus algorithms such as proof of stake (PoS) 2, delegated proof of stake (DPoS) 3, and delegated proof of stake with node's behaviour and Borda count (DPoSB) 4. They do not rely on computing power and thus could lower the power consumption. There is also a Byzantine algorithm 5 that achieves consensus in communication in the presence of malicious nodes.
Digital signatures are an essential application of public-key cryptography. Encryption methods commonly used in the digital signatures of a classical blockchain are Rivest-Shamir-Adleman (RSA) 6 and elliptic curve cryptography (ECC) 7 . These well-developed encryption algorithms are too complex for classical computers to crack, ensuring the security of the digital signatures. However, Shor and others have found that a quantum algorithm can effectively solve the integer decomposition problem and the discrete logarithmic problem 8 , which are the critical parts of the encryption methods. In this case, the security of blockchain technology based on the digital signatures is under the threat of quantum computation.
Several physical systems have been developed to realize quantum computation. Quantum supremacy was demonstrated on a programmable superconducting quantum processor with 53 qubits by Google 9 . Pogorelov et al. 10 performed 50-qubit ion trap quantum computing. Moreover, Zhong et al. 11 demonstrated a 76-qubit quantum computer with photons for boson sampling and a programmable quantum nanophotonic chip with many photons 12 .
Therefore, it has become urgent to develop new methods to protect against the threat of quantum computing. One effective approach is to develop quantum cryptography techniques based on the unique nature of quantum physics. For example, the quantum signature technology based on the quantum state computational distinguishability with fully flipped permutations ($\text{QSCD}_{\text{ff}}$) problem, utilizing the complexity of the $\text{QSCD}_{\text{ff}}$ problem for quantum computation, can guarantee the security of the signature process. In addition, there are also quantum key distribution (QKD) techniques used in quantum information, such as the most famous BB84 protocol 13. These techniques help to improve security in communication processes even in the presence of quantum computation.
In this case, these algorithms can be involved in blockchain technologies, which further improve system security. Several attempts have been made. For example, quantum key distribution (QKD) techniques, such as the most famous BB84 protocol 13, used in quantum information have been applied to blockchains 14; quantum entanglement in time has been used to produce blocks 15, which is combined with quantum signature algorithms 16. However, quantum signatures are not used in the QKD blockchain algorithm; a blockchain generated by the use of entanglement in time cannot trace back the transaction information, and thus the improvement in the overall security of the blockchain is poor.
To guarantee blockchain network security under quantum supremacy, we propose a quantum blockchain method that combines the DPoSB consensus algorithm 4 and quantum signatures established with quantum signature technology based on the quantum state computational distinguishability with a fully flipped permutation ($\text{QSCD}_{\text{ff}}$) problem 17. The former is developed from DPoS, which keeps the voting system and considers the influence of malicious behaviours in votes to improve security when malicious nodes are in a blockchain system. A quantum signature method using a quantum asymmetric cryptography approach is a signature method designed based on the complexity of the $\text{QSCD}_{\text{ff}}$ problem for quantum computation to guarantee the security of the signature process. Here we combine them. The blockchain generates blocks by DPoSB and signs transactions by a quantum one-way function 18 based on the $\text{QSCD}_{\text{ff}}$ problem. Mining is not necessary here, which greatly saves computing resources and increases the speed of block generation. Different from other quantum signature methods 14,15,16, this method is not constrained 19,20 by probabilities and does not require a large number of one-time pads, which thus saves substantial communication overheads. Discussions about security models and quantum information-theoretical security are introduced in the security analysis. It can be found that our blockchain is secure even in the malicious adversary model. Our results show that this signature method in quantum blockchain is more secure than other quantum signatures. In this paper, the data structure of the blockchain network is introduced in the "Data structure of the blockchain" section and our quantum blockchain algorithm is analyzed in the "Quantum blockchain algorithm" section. Then, the security of the blockchain algorithm is analyzed in the "Security analysis of the blockchain" section, and the blockchain algorithm is compared with other existing quantum blockchains in the "Comparison with other quantum blockchain signature methods" section. The conclusion is given at the end.

Data structure of the blockchain
A block acting as a unit in our blockchain system is constructed by a block header and a block body, as shown in Fig. 1. The information in the block header contains the address of the current block, the address of the previous block and the timestamp. The block body contains the transaction information that has passed through the quantum signature verification process. Owing to the key feature of DPoSB, blockchain nodes do not need to participate in mining; that is, there is no computing force competition; thus, the hash value in the block is not necessary and can be replaced with the explicit address. Starting from the last block, we can find the desired information by following the block addresses.
Figure 1. The data structure of the quantum blockchain. The block header contains the address of the current block, the address of the previous block and the timestamp. The block body contains the transaction that has passed through the quantum signature verification process. The arrows between two blocks indicate that we can find one block according to its next block.

Quantum blockchain algorithm
In the blockchain, the signer generates the transaction and then uses a private key to sign, and the receiver authenticates the transaction by using the signer's public key to ensure transaction security in the aspect of cryptography. First, our quantum blockchain network contains $N$ nodes, and $n$ ($N > 2n$) witness nodes are elected to generate blocks in turn by DPoSB 13. Then the nodes sign transactions through a quantum one-way function based on the $\text{QSCD}_{\text{ff}}$ problem. The witness nodes verify the transactions signed by the nodes and package a transaction into the blockchain network if it passes the verification process.
Blocks created by DPoSB. One key characteristic of DPoSB is voting, which is developed from DPoS. By the application of voting, the computing resources originally used for mining can be largely saved. In voting, the $n$ nodes with the highest votes are elected as the witness nodes responsible for generating blocks in turn. Let us assume that there are $N$ nodes in a blockchain system. First, $2n$ ($N > 2n$) candidate nodes are elected by voting, and then $n$ witness nodes among the candidate nodes are elected. However, sometimes malicious nodes appear in the system and hinder the generation of blocks.
There are four types of malicious behaviours, denoted by $r$. Each $r$ is assigned a weight $Q_r$, and the maximum threshold $T_r$ is the largest number of times the behaviour $r$ is accepted in the system. DPoSB then introduces a malicious behaviour punishment calculation into the algorithm to address this issue, and the mechanism of the Borda score to fairly select the witness nodes. We calculate the malicious behaviour weight ratio $NBw_i$ for the $i$th node: where $t_{ir}$ represents the number of times the behaviour $r$ is performed by the $i$th node.
The valid vote to define the $i$th node is: where $j$ indicates the number of votes by the $j$th node for the $i$th node in round $t$ of block generation (all participants produce a block once as the end of one round).
Then, we sort the valid votes for all nodes, and 2n nodes with the highest votes are elected as the candidate nodes.
The next step is to select $n$ witness nodes from these candidate nodes. We construct the preference matrix: Then we have the $k$th node's preference value for the $i$th candidate node: $r_i^k = \sum_{j=1}^{N} r_{ij}^k$ and obtain the Borda score matrix: We calculate the cumulative Borda scores for each candidate node: $r_i = \sum_{k=1}^{N} r_i^k$. The Borda scores are sorted for all candidate nodes, and the $n$ candidate nodes with the highest scores are elected as the witness nodes.
The witness nodes can generate blocks in turn, as shown in Fig. 2.
Transaction signing and verification process. Then the nodes sign transactions through a quantum one-way function based on the quantum state computational distinguishability with fully flipped permutations ($\text{QSCD}_{\text{ff}}$) problem. In quantum algorithms, quantum gate operations 21 can be performed on qubits, which include Hadamard ($H$), qubit flip ($X$) and phase flip ($Z$) operations. The quantum state of a single qubit can be represented as $|\phi\rangle = \sin\theta\,|0\rangle + \cos\theta\, e^{ia}|1\rangle$, where $|0\rangle$ and $|1\rangle$ are the counterparts of 0 and 1 in the classical computation. In the quantum algorithm, signing and verification processes are necessary to ensure a transaction. Here, we use the quantum one-way function based on the $\text{QSCD}_{\text{ff}}$ problem to finish the signing process.
A brief introduction to the $\text{QSCD}_{\text{ff}}$ problem. We define $N^* = \{ n \in \mathbb{N} : n \text{ is even and } n/2 \text{ is odd} \}$. For each $n \in N^*$, $S_n$ is used to represent a symmetric group of degree $n$. Then we define $\kappa_n = \{ \pi \in S_n : \pi^2 = \mathrm{id} \text{ and } \forall i \in \{1, 2, \cdots, n\}\ [\pi(i) \neq i] \}$, where id represents the identity permutation. Each $\pi$ can be represented as an odd permutation that is the product of $n/2$ disjoint transpositions 22.
Then we have $|\kappa_n| = \frac{n!}{\sqrt{2^n}}$ and the following definition: For each $\pi \in \kappa_n$, there are quantum states $\rho_\pi^{+}(n)$ and $\rho_\pi^{-}(n)$: For a symmetric group of degree $n$, each group element can be represented as an arrangement with $n$ elements, such as a group element (1, 2, 3) in $S_3$, which can be represented as quantum states: $|1\rangle|10\rangle|0\rangle$.
The $\text{QSCD}_{\text{ff}}$ problem is to distinguish the following two quantum states for each $n \in N^*$: $\rho_\pi^{+}(n)^{\otimes P(n)}$ and $\rho_\pi^{-}(n)^{\otimes P(n)}$, where $P(n)$ represents a polynomial. Ref. 22 has proven that if $\pi \in \kappa_n$ is random and unknown, there is no quantum algorithm that can solve the $\text{QSCD}_{\text{ff}}$ problem with non-negligible advantage. However, this problem can be quickly solved when $\pi$ is known, so that $\pi$ serves as a trapdoor in the quantum signatures.
A distinguishing algorithm for the $\text{QSCD}_{\text{ff}}$ problem.
Step 1 The quantum circuit used here is shown in Fig. 3a. $|0\rangle$ is input into the first register (a device used to preserve one or more quantum states) of the quantum circuit, and $|x\rangle$ is input into the second register. The Hadamard operation ($H$) is performed on $|0\rangle$, to obtain:
Step 2 The $C_\pi$ operation is performed on the second register controlled by the first register to obtain:
Step 3 The $H$ operation is performed on the first register.
Step 4 The $Z$ measurement is performed on the first register, and
Figure 3. (a) The quantum circuit of the distinguishing algorithm, where $\frac{1}{\sqrt{2}}(|0\rangle - |1\rangle) = |-\rangle$ and $\pi$ represents the $\pi$ operation $\pi|\sigma\rangle = |\sigma\pi\rangle$. We perform the quantum circuit from left to right. (b) The quantum circuit of the $\rho_\pi^{+}(n)$ generation algorithm, where "if $\pi$" means "if we read $|\pi\rangle$ from this register" and "random $\sigma$" means "perform a random permutation $\sigma$ on this register". (c) The quantum circuit of the conversion algorithm.
$\rho_\pi^{+}(n)$ generating algorithm. $\rho_\pi^{+}(n)$ can be generated by the following steps. The quantum circuit is shown in Fig. 3b.
Step 1 We prepare the quantum state $|0\rangle|id\rangle$, input $|0\rangle$ into the first register, and input $|id\rangle$ into the second register. Then, we perform the $H$ operation on the first register, and obtain $|+\rangle$ and $|id\rangle$.
Step 2 The $C_\pi$ operation is performed on the second register and controlled by the first register.
Step 3 If the second register reads $|\pi\rangle$, we perform a qubit flip operation ($X$) 21 on the first register.
Step 4 A uniformly random permutation σ is performed on the second register.
Step 5 The final state of the second register is output.
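The generating and distinguishing algorithms above can be checked on a small case with a classical state-vector simulation. The following Python is an added example, not code from the paper. Because the explicit formulas did not survive on this page, it assumes, following the construction in ref. 22, that $\rho_\pi^{\pm}(n)$ is the pure state $(|\sigma\rangle \pm |\sigma\pi\rangle)/\sqrt{2}$ for a uniformly random $\sigma$ and that "convert" flips the phase of odd permutations; all function names are hypothetical.

```python
import math
import random

# A state is a dict {(control_bit, permutation): real amplitude}.
# A permutation is a tuple p with p[i] the image of i; compose(a, b) is "a after b".

def compose(a, b):
    return tuple(a[j] for j in b)

def parity(p):
    """0 for an even permutation, 1 for an odd one (sum of cycle lengths minus 1)."""
    seen, swaps = set(), 0
    for start in range(len(p)):
        j, length = start, 0
        while j not in seen:
            seen.add(j)
            j = p[j]
            length += 1
        swaps += max(length - 1, 0)
    return swaps % 2

def hadamard(state):
    """H on the one-qubit first register."""
    s, out = 1 / math.sqrt(2), {}
    for (bit, perm), amp in state.items():
        out[(0, perm)] = out.get((0, perm), 0.0) + amp * s
        out[(1, perm)] = out.get((1, perm), 0.0) + amp * s * (-1 if bit else 1)
    return {k: v for k, v in out.items() if abs(v) > 1e-12}

def controlled_pi(state, pi):
    """C_pi: when the first register is 1, map |sigma> to |sigma pi>."""
    out = {}
    for (bit, perm), amp in state.items():
        key = (bit, compose(perm, pi) if bit else perm)
        out[key] = out.get(key, 0.0) + amp
    return out

def generate_rho_plus(pi, rng):
    """Steps 1-5 of the generating algorithm; returns the second register."""
    n = len(pi)
    state = hadamard({(0, tuple(range(n))): 1.0})                     # Step 1
    state = controlled_pi(state, pi)                                  # Step 2
    state = {(b ^ (p == pi), p): a for (b, p), a in state.items()}    # Step 3
    sigma = list(range(n))
    rng.shuffle(sigma)                                                # Step 4
    sigma = tuple(sigma)
    state = {(b, compose(sigma, p)): a for (b, p), a in state.items()}
    return {p: a for (_, p), a in state.items()}                      # Step 5

def convert(register):
    """Assumed 'convert': phase-flip odd permutations (turns + into - as pi is odd)."""
    return {p: (-a if parity(p) else a) for p, a in register.items()}

def prob_one(register, key):
    """Distinguishing circuit: H, C_key, H on |0>|x>; returns P(measure 1)."""
    state = hadamard({(0, p): a for p, a in register.items()})
    state = hadamard(controlled_pi(state, key))
    return sum(a * a for (bit, _), a in state.items() if bit == 1)

def demo(seed=7):
    rng = random.Random(seed)
    pi = (1, 0, 3, 2, 5, 4)      # constructed trapdoor in kappa_6: (0 1)(2 3)(4 5)
    wrong = (2, 3, 0, 1, 5, 4)   # a different element of kappa_6
    plus = generate_rho_plus(pi, rng)
    minus = convert(plus)
    return {
        "plus_with_trapdoor": prob_one(plus, pi),
        "minus_with_trapdoor": prob_one(minus, pi),
        "plus_with_wrong_key": prob_one(plus, wrong),
        "minus_with_wrong_key": prob_one(minus, wrong),
    }

if __name__ == "__main__":
    print(demo())
```

With the trapdoor the measurement is deterministic (0 for the plus state, 1 for the minus state); with any other element of $\kappa_n$ a single copy gives a fair coin for both states.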
Signing transaction process. Below we use an example to show the detailed processes. Alice serves as a signer and Bob as a verifier. Jack acts as the private key generator (PKG), which is a trusted node in the blockchain system, and never exposes the signer's private key or imitates the signer to sign messages. Alice is ready to send a transaction message that she encodes as a bit string $TA(m_1, m_2, \cdots, m_n)$, $m_i \in \{0, 1\}$. The transaction can be signed by the following steps 17.
Key generation phase.
Step 1 Alice randomly selects an odd permutation $\pi \in \kappa_n$ as the private key, where $n$ is the length of the bit string. Then, the unconditionally secure deterministic secure quantum communication (DSQC) protocol 23 is used to write the private key in the blockchain to secretly share it. In this case, Jack secretly holds the $(ID, \pi)$ pair, where $ID$ is Alice's identity code.
Signing phase.
Step 2 Through the conversion algorithm, Alice encrypts t as a quantum sequence: , as shown in Fig. 4b.
Step 4 After receiving $\{TA, ID, |\rho'\rangle, |PK'\rangle\}$, Alice exposes the location of the decoy particles. Bob checks the particles with the corresponding base. If there is no error, Bob takes the next step, and otherwise the signature generation phase is restarted.
Step 5 Bob performs an eavesdropping check, drops all the decoy particles and finally holds $\{TA, ID, |\rho\rangle, |PK\rangle\}$ as the quantum signature of Alice.
Step 4 Jack discards all decoy particles and recovers $|\rho''\rangle|PK''\rangle$ to $|\rho\rangle|PK_m\rangle$.
Figures 4 and 5. (a) Alice repeats the $\rho_\pi^{+}(n)$ generation algorithm $n$ times with her private key to obtain the public key, where the $H$, "if $\pi$" and "random $\sigma$" operations are the same as the operations in Fig. 3. (b) Alice uses this quantum circuit to obtain the encrypted sequence $|\rho\rangle$, where we perform a "C-convert" operation: if $|t_i\rangle = 1$, we perform the "convert" operation shown in Fig. 3c; if $|t_i\rangle = 0$, we do not perform any operation. (c) The red balls represent decoy particles, the white balls represent the encrypted sequence $|\rho\rangle$, and the yellow balls represent the public key $|PK\rangle$. Alice inserts decoy particles randomly into $|\rho\rangle|PK\rangle$ and obtains the sequence $|\rho'\rangle|PK'\rangle$ to check for eavesdropping. (d) Bob uses this quantum circuit to obtain $|PK_m\rangle$, where every "C-convert" operation is the same as the "C-convert" operation in (b). For every $\rho^{i}_{\pi,m}$, if $|0\rangle$ is read from the first register, then $m_i = 0$; if $|1\rangle$ is read from the first register, then $m_i = 1$. (c) Jack uses this quantum circuit to obtain a bit string $t'$. For every $\rho^{i}$, if $|0\rangle$ is read from the first register, then $t_i = 0$; if $|1\rangle$ is read from the first register, then $t_i = 1$.
Step 5 Jack recovers the private key $\pi$ according to the identity code $ID$, and obtains the bit string $m$ by dis- , as shown in Fig. 5b. Then, permutation $\pi$ is performed on $m$, and $t = \pi(m)$ is obtained.
Step 6 Jack distinguishes $\rho^{i}$, and obtains the bit string $t'$, where , as shown in Fig. 5 (c).
If t i = t ′ , Jack claims validation and Bob accepts the signature.
Package the transaction into blockchain. In actual applications, the witness nodes elected under DPoSB should be considered trusted signature verifiers. After more than 2/3 of the witness nodes accept the signature, the generated transaction information $TA$ is valid and packed into the block generated by the current witness node, as shown in Fig. 6. However, when the verifying phase is completed, if less than 2/3 of the witness nodes accept the signature, $TA$ is discarded by the current witness node.
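The two-stage election from "Blocks created by DPoSB" and the 2/3 packaging rule above, as an added Python example (not the authors' code; names and sample data are constructed). It takes each node's valid votes as input because the penalty formula did not survive on this page, assumes the pairwise preference $r_{ij}^k$ is 1 when node $k$ ranks candidate $i$ above candidate $j$ (the standard Borda count), and treats exactly 2/3 acceptance, which the text leaves open, as not accepted.

```python
def elect_witnesses(valid_votes, rankings, n):
    """Return (candidates, borda_scores, witnesses) for one election round.

    valid_votes: {node: valid vote total after the malicious-behaviour penalty}
    rankings:    {voter: [nodes ordered best-first]}; non-candidates are ignored
    n:           number of witness nodes; the text requires N > 2n
    """
    if len(valid_votes) <= 2 * n:
        raise ValueError("DPoSB requires N > 2n")

    # Stage 1: the 2n nodes with the most valid votes become candidates.
    # Ties are broken by node name so the result is deterministic (assumption).
    candidates = sorted(valid_votes, key=lambda v: (-valid_votes[v], v))[:2 * n]
    cand_set = set(candidates)

    # Stage 2: cumulative Borda score r_i = sum_k r_i^k, where
    # r_i^k = sum_j r_ij^k = number of candidates voter k ranks below i.
    scores = {c: 0 for c in candidates}
    for voter, ranking in rankings.items():
        order = [c for c in ranking if c in cand_set]
        if len(order) != len(cand_set) or set(order) != cand_set:
            raise ValueError(f"{voter} must rank every candidate exactly once")
        for position, cand in enumerate(order):
            scores[cand] += len(order) - 1 - position

    witnesses = sorted(candidates, key=lambda c: (-scores[c], c))[:n]
    return candidates, scores, witnesses


def transaction_is_valid(accepts, n_witnesses):
    """True only when strictly more than 2/3 of the witnesses accept.

    Integer arithmetic avoids floating-point error at the boundary.
    """
    if not 0 <= accepts <= n_witnesses:
        raise ValueError("accept count out of range")
    return 3 * accepts > 2 * n_witnesses


def package(block_body, transaction, verdicts):
    """Append the transaction to the block body if enough witnesses accepted."""
    if transaction_is_valid(sum(verdicts.values()), len(verdicts)):
        block_body.append(transaction)
        return True
    return False


# Constructed sample: N = 7 nodes, n = 2 witnesses, so 2n = 4 candidates.
VALID_VOTES = {"A": 40, "B": 35, "C": 30, "D": 30, "E": 12, "F": 8, "G": 5}
RANKINGS = {
    "A": ["C", "A", "B", "D"],
    "B": ["C", "B", "D", "A"],
    "C": ["C", "D", "A", "B"],
    "D": ["D", "C", "B", "A"],
    "E": ["B", "C", "D", "A"],
    "F": ["C", "D", "B", "A"],
    "G": ["D", "C", "A", "B"],
}

if __name__ == "__main__":
    print(elect_witnesses(VALID_VOTES, RANKINGS, 2))
    print(transaction_is_valid(2, 3), transaction_is_valid(3, 3))
```

In the sample, node A has the most valid votes but is not elected, because the Borda stage aggregates every node's full ranking of the candidates.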

Security analysis of the blockchain
Security model. Before reviewing the security of our blockchain, we would explain two security models used in information theory and cryptography 24 .
Semi-honest adversary model Suppose there are some semi-honest adversaries in a system and they follow a protocol correctly but may keep some necessary information to infer additional information later.
Malicious adversary model Suppose there are some malicious adversaries in a system and they may not only keep necessary information to infer additional information, but also attempt to perform breaking-protocol malicious behaviours to get additional information.
In the block generation process, a semi-honest adversary can only keep public information of the block header and block body. Then he cannot infer any useful additional information, because there are no secrets in the public information. In the signing process, a semi-honest adversary can attempt to infer the private key of a signer (the only secret), which however cannot work as shown in "Security of private keys" Section. Therefore our blockchain can keep security in the semi-honest adversary model.
We will demonstrate the security in the malicious adversary model in the next three sections. Generally, when an algorithm or a protocol can keep security in the malicious adversary model it is safer.

Security of the generation of blocks.
Consensus algorithms are used in the generation of blocks, and different consensus algorithms have distinct security levels. There are three main breaking-protocol attacks in this process, which belong to the malicious adversary model: 1. Double-spending attacks 1 . 2. Attacks that crack the hash value in a short time 14 . 3. Nodes that disturb the generation of blocks on purpose 13 . Then we will explain how our blockchain has robustness in the block generation process to these attacks in the malicious adversary model.
Attacker nodes can forge another blockchain secretly to forge information in blocks, which is defined as double-spending attacks. The success rate of this attack is higher when the computing force is larger. The success rate becomes 100% when the computing force of one node is larger than half of the total computing force of the blockchain system. However, this attack can be defended against in our blockchain algorithm because the attack is based on computing force, which is not needed in our algorithm.
An attack that cracks the hash value in a short time is a special attack based on a quantum computer. The quantum computer can use quadratic acceleration to crack the hash value through the Grover algorithm 25 , which makes nodes that have quantum computers dominate the blockchain systems. However, this attack is still based on computing force, so it can be defended in our blockchain algorithm.
As shown in "Blocks created by DPoSB" Section, in blockchain systems, some nodes may intentionally disturb the generation of blocks. In the DPoSB algorithm, malicious behaviours can be recorded by blockchain systems, and these records have impacts on the nodes' scores during the elections. Because the chance that a node is elected as a witness is smaller when it has more malicious behaviours, our blockchain algorithm can also defend against this attack.
Figure 6. Transactions verified by 2/3 of witnesses can be packaged into a blockchain by the present witness, where the data structure of the blocks is the same as the data structure in Fig. 1, and $TA_x$ is a valid transaction that needs to be packaged.
Quantum information-theoretical security. In quantum asymmetric encryption, an encryption has quantum information-theoretical security if the quantum cyphertexts have computational indistinguishability 26. We can claim that two quantum ensembles $\rho_1$ and $\rho_2$ are computationally indistinguishable if, for every probabilistic polynomial algorithm $A$, every positive polynomial $P(\cdot)$ and sufficiently large positive integer $n$, the following inequality is satisfied 26: where $P_r(\cdot)$ represents the probability. In our blockchain algorithm, the cyphertexts are $\rho_\pi^{+}(n)$ and $\rho_\pi^{-}(n)$. Then we define $\rho_1 = \rho_\pi^{+}(n)^{\otimes P(n)}$, $\rho_2 = \rho_\pi^{-}(n)^{\otimes P(n)}$ and need to prove: Assume that we have a probabilistic polynomial algorithm $A_l$, which makes: It means we have an efficient algorithm to distinguish signature cyphertexts $\rho_\pi^{+}(n)$ from $\rho_\pi^{-}(n)$ efficiently, corresponding to solving the $\text{QSCD}_{\text{ff}}$ problem. However, according to the hardness of the $\text{QSCD}_{\text{ff}}$ problem as proved in ref. 22, the problem cannot be solved in polynomial time. Thus, it can be claimed that our blockchain has quantum information-theoretical security.
Security of the signing process. The malicious attacks which can be used in this process are eavesdropping, forging, repudiation and interception. Then we will explain how our blockchain can have robustness in the signing process to these attacks in the malicious adversary model.
Security of private keys. The security of private keys should be assured in two ways.
First, it has been proven that no quantum algorithm can crack the private keys of signers in polynomial time when there is no private key $\pi$ 22 because one cannot distinguish signature cyphertexts $\rho_\pi^{+}(n)$ from $\rho_\pi^{-}(n)$ efficiently, as discussed in "Quantum information-theoretical security" Section.
Second, because private keys are selected from $\kappa_n$ and $|\kappa_n| = \frac{n!}{\sqrt{2^n}}$, the attacker only has a chance of $\frac{\sqrt{2^n}}{n!}$ to obtain the private keys (note that $n!$ grows far faster than $\sqrt{2^n}$). In this case, the success rate of brute-force attacks is sufficiently small, which means that the success rate of signatures randomly generated by attackers is negligible.
Security against eavesdropping. As mentioned above, we can use the BB84 13 protocol to defend against eavesdropping. Because of the particularity of quantum states, eavesdropping can result in the collapses of quantum states and destroy the decoy states. By the second checkout process in BB84, the verifier could determine if there is any eavesdropping through the measurement of decoy states. In addition, eavesdropping by cloning signatures is not possible because of the quantum no-cloning theorem 21 .
Security against forging. There are two forging attack approaches. The first is forging signatures by using the transaction information of signers, and the second is forging the transaction information of signers. In the first approach, a signer generates transaction information $TA$ and public key $|PK\rangle$ and then uses the private key to generate signature $|\rho_1\rangle$. An attacker wants to forge a signature with $TA$ and the signer's private key, which makes $|\rho_1\rangle \neq |\rho_2\rangle$. According to the signature algorithm mentioned above in section "Transaction signing and verification process", because of the uniqueness of the output of the $\rho_\pi^{+}(n)$ generating algorithm, we have $|\rho_1\rangle = |\rho_2\rangle$, and thus, the signatures cannot be forged.
In the second approach, a signer generates transaction information $TA1$ and public key $|PK\rangle$. An attacker wants to forge the signer's transaction information by turning it into $TA2 \neq TA1$ to make the signature of $TA2$ pass the verification process. According to the security of the private keys mentioned in section "Security of private keys", attackers have no way to generate a valid signature when they have no signers' private keys. Therefore, transaction information cannot be forged. In conclusion, the forging methods mentioned above cannot be performed.
Security against repudiation. Repudiation is that attackers repudiate signatures to make signers fail in the signing process.
According to the signature algorithm mentioned above in section "Transaction signing and verification process", an attacker has no access to verify the signatures when they are not a witness; hence, an attacker cannot repudiate signatures. When an attacker is a witness, Jack can automatically pass through the signature if verification succeeds. In this way, an attacker still cannot repudiate the signatures because Jack is a trusted node and determines whether a signature can pass through the verification process.
Security against interception. Interception is that attackers forge information through intercepting information. According to the signature algorithm mentioned in section "Transaction signing and verification process", messages, including $TA$, $ID$, $|\rho'\rangle$, $|PK'\rangle$, $|\rho''\rangle$, $|PK''\rangle$ and the location information of decoy particles, can be intercepted by an attacker.
In the signing phase, $TA$, $ID$, $|\rho'\rangle$, $|PK'\rangle$ is first intercepted. Then, to avoid the suspicion of the signer, the attacker has to forge a new message, $TA1$, $ID$, $|\rho_1\rangle$, $|PK'\rangle$, to pass the verification process, which is a man-in-the-middle attack. According to the analysis mentioned above in section "Security against forging", even if the attacker passes through the decoy particle check process, the forged messages still cannot pass through the verification process because the attacker has no signer's private key.
In the verification phase, the attacker first intercepts $TA$, $ID$, $|\rho''\rangle$, $|PK''\rangle$. Then, to avoid the suspicion of the signer, the attacker has to forge a new message $TA2$, $ID$, $|\rho_2\rangle$, $|PK''\rangle$ to pass through the verification process, which is a man-in-the-middle attack too. In this way, the reason for a forging failure is the same as that for a signing phase failure.
Security issues from actual applications. In actual applications, there are several other security problems for businesses, organizations and operations. According to recent research progress 27−30, some kinds of techniques, such as the Process-Data-Infrastructure (PDI) model 27, can be incorporated into blockchain systems to address these problems and secure blockchain applications.
According to the PDI model 27, system security issues can be classified into three levels: process level, data level and infrastructure level. The blockchain security in the process level includes operation standards, smart contracts, implementation security and fraud detection. The data level is composed of consensus algorithms, encryption, authentication, key management and access control, while the infrastructure level includes supernode servers, terminal devices and the network. In the above sections we have discussed the blockchain security issues in the data level, and our blockchain can be combined with a modern blockchain framework (such as the PDI model) to enhance the security of the blockchain system. In blockchain-secured smart manufacturing 28, a specific PDI model can be realized with the following architecture: in the infrastructure level, a blockchain platform (such as Ethereum, Hyperledger, and EOS) is selected to manage terminals and networks. The platform should provide a distributed data structure, interaction mechanisms, and computing paradigms. Then in the data level, our blockchain algorithm can be used to generate blocks (by the consensus algorithm) and sign the transactions (by the quantum digital signature) safely. More complex computations are performed safely with privacy computing (such as secured multi-party computation 24, federated learning 31 and trusted execution environment 32), which lets the blockchain compute functions on private data without exposing the data. Then a computer language supported by the blockchain platform is used to write smart contracts in the process level. Programmable manufacturing devices can be deployed in necessary places, and relevant data are collected through the internet of things (IoT) 33 and transmitted to the blockchain for further processing.

Comparison with other quantum blockchain signature methods
In actual applications of blockchain technology, security is of the utmost importance; thus, we would use the safest signature algorithm available. We now demonstrate that the signature algorithm in our blockchain algorithm is safer than other quantum-resistant signature algorithms. We assume that the decoherence of quantum circuits caused by the outside environment can be ignored.
Step 1 The signer selects a random quantum state from the four quantum states and distributes the nonorthogonal set containing this quantum state according to the corresponding bit in the code. For example, if $a_1 = 1$ and the signer selects $|0\rangle$, we distribute the set $\{|-\rangle, |0\rangle\}$ to the first quantum state; if $a_1 = 0$ and the signer selects $|0\rangle$, we distribute the set $\{|0\rangle, |+\rangle\}$ to the first quantum state. This process is repeated $n$ times; then, the signer sends the quantum states $Q = (Q_1 Q_2 \ldots Q_n)$, $Q_i \in \{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$, and single bit information $m$ to the verifier and the authenticator by quantum channels.
Step 2 The verifier and the authenticator choose an X or Z basis randomly for every quantum state $Q_i$ and then measure these quantum states $\{Q_i\}$.
Step 3 The signer sends the sets to the verifier and the authenticator by traditional channels.
Step 4 The verifier and the authenticator compare every measurement result of quantum state $Q_i$ with their sets. If one measurement result is orthogonal to one quantum state in the set, the conclusive bit $a_i$ can be obtained. For example, if we receive the set $\{|0\rangle, |+\rangle\}$ and the measurement result is $|-\rangle$, we know that the signer sent 0; however, if the measurement result is not orthogonal to any quantum state in the set, the code the signer sent is inconclusive.
Step 5 The signer sends a bit string $a$ to the verifier and the authenticator. After receiving the bit string $a$, the verifier and the authenticator compare it with their conclusive bit strings and compute the error rates $E(a')$ and $E(a'')$, respectively (we take inconclusive bits as right bits). If both $E(a')$ and $E(a'')$ are larger than the threshold $\mu$, the signature fails; otherwise the signature succeeds.
It can be demonstrated that this signature algorithm cannot defend against interception. An attacker can perform the following procedure to forge a signer's signature.
Step 1 The signer generates single bit information $m$, bit string $a$ and quantum state $Q$ and then sends them to the verifier and the authenticator.
Step 2 The attacker intercepts the messages $\{m, a, Q\}$; generates single bit information $m'$, bit string $a'$ and quantum state $Q'$; and then sends $\{m', a', Q'\}$ to the verifier and the authenticator.
Step 3 The signer sends sets Q1 of $Q$ to the verifier and the authenticator.
Step 4 The attacker intercepts messages Q1 and sends sets Q2 of $Q'$ to the verifier and the authenticator.
Step 5 The verifier and the authenticator perform step 5 in the signature algorithm.
Step 6 Now, the attacker forges a perfect signature of the signer because it is simple to generate $\{m', a', Q'\}$ and Q2, so the verifier and the authenticator can pass the signature forged by the attacker with overwhelming probability. A forging attack can work in this way.
As mentioned in section "Security against interception", we have demonstrated that the signature algorithm in our blockchain algorithm can resist interception and thus is safer than the algorithm in this section.
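The following classical simulation of Steps 1 to 5 is an added example, not code from the paper. It shows that the Step 5 check passes for any internally consistent triple of bit string, states and sets, whoever produced it, while altering only the bit string is detected. The rule extending the page's |0> example to all four states, the threshold value MU and all function names are assumptions made for the illustration.

```python
import random

RING = ["0", "+", "1", "-"]   # neighbours on this ring are non-orthogonal
ORTHO = {"0": "1", "1": "0", "+": "-", "-": "+"}
BASES = (("0", "1"), ("+", "-"))   # Z basis, X basis
MU = 0.05                     # constructed threshold; the page gives no value

def pair_for(state, bit):
    # Assumed extension of the page's |0> example to all four states.
    step = 1 if bit == 0 else -1
    return frozenset((state, RING[(RING.index(state) + step) % 4]))

def sign(n, rng):
    # Step 1 and Step 3: bit string a, states Q and the sets for Q.
    a = [rng.randrange(2) for _ in range(n)]
    q = [rng.choice(RING) for _ in range(n)]
    return a, q, [pair_for(s, b) for s, b in zip(q, a)]

def measure(state, rng):
    # Step 2: random X or Z basis; the outcome is random in the wrong basis.
    basis = rng.choice(BASES)
    return state if state in basis else rng.choice(basis)

def conclusive_bit(result, pair):
    # Step 4: a result orthogonal to one member of the set rules it out.
    if ORTHO[result] not in pair:
        return None               # inconclusive
    (sent,) = pair - {ORTHO[result]}
    return 0 if pair == pair_for(sent, 0) else 1

def error_rate(a, q, sets, rng):
    # Step 5: inconclusive positions count as correct.
    decoded = [conclusive_bit(measure(s, rng), p) for s, p in zip(q, sets)]
    return sum(d is not None and d != b for d, b in zip(decoded, a)) / len(a)

def accepted(a, q, sets, rng):
    # Fails only if both the verifier's and the authenticator's rates exceed MU.
    e_v, e_a = error_rate(a, q, sets, rng), error_rate(a, q, sets, rng)
    return not (e_v > MU and e_a > MU)

def demo(seed=7, n=2000):
    rng = random.Random(seed)
    a, q, sets = sign(n, rng)             # signer's triple
    a2, q2, sets2 = sign(n, rng)          # replacement triple, same procedure
    flipped = [1 - b for b in a]          # only a altered, Q and sets untouched
    return {"honest": accepted(a, q, sets, rng),
            "replaced": accepted(a2, q2, sets2, rng),
            "a_altered": accepted(flipped, q, sets, rng)}

if __name__ == "__main__":
    print(demo())
```

The replaced triple is accepted exactly like the honest one because nothing in the check ties the received messages to the signer; binding the messages to the sender's identity is what the scheme lacks.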
Comparison with a signature algorithm based on quantum entanglement. Suppose there are three parties that take part in this algorithm 16: the signer, the verifier and a trusted node blockchain. They perform the following procedure to complete this signature algorithm.
Step 1 The blockchain generates sufficient Bell states:
Step 2 The blockchain randomly selects a sufficiently long substring $A_1$ from $(A_1^1, A_1^2, \ldots, A_1^n)$ and sends it to the signer as his private key; the blockchain randomly selects a sufficiently long substring $A_2$ from $(A_2^1, A_2^2, \ldots, A_2^n)$ and sends it to the verifier as the signer's private key; the blockchain randomly selects a sufficiently long substring $B_1$ from $(B_1^1, B_1^2, \ldots, B_1^n)$ and sends it to the verifier as the private key; the blockchain randomly selects a sufficiently long substring $B_2$ from $(B_2^1, B_2^2, \ldots, B_2^n)$ and sends it to the signer as the verifier's private key.
Step 4 The signer performs controlled-NOT (CNOT) on the first $x$ qubits of $B_2$, the first $y$ qubits of $A_1$, quantum coin $m$ and hash sequence $h$: where $m_i = 1 - m_i$ and $h_i = 1 - h_i$. Then, the signer obtains quantum coin $m'$ and hash sequence $h'$ and sends $m'$ and $h'$ to the verifier.
Step 5 The verifier performs CNOT on the first $x$ qubits of $B_1$, the first $y$ qubits of $A_2$, quantum coin $m$ and hash sequence $h'$: Then, the verifier obtains quantum coin $m''$ and hash sequence $h''$, computes $\text{hash}(m'')$ and judges whether it is equal to $h''$. If $\text{hash}(m'') = h''$, the signature is accepted; otherwise, the signature is rejected.
It can also be demonstrated that this signature algorithm cannot defend against interception. An attacker can perform the following procedure to forge a signer's signature.
Step 1 As shown in the signature algorithm mentioned above, the blockchain generates substrings $A_1$, $A_2$, $B_1$, and $B_2$ and sends $A_1$ and $B_2$ to the signer and $A_2$ and $B_1$ to the verifier.
Step 2 The attacker intercepts $A_2$ and $B_1$ through a man-in-the-middle attack, imitates the blockchain to generate substrings $C_1$, $C_2$, $D_1$, and $D_2$, retains substrings $C_1$ and $D_2$, and then sends substrings $C_2$ and $D_1$ to the verifier.
Step 3 At this moment, the attacker's substrings are entangled with the signer's and the verifier's at the same time, so the attacker can forge any transaction messages and the signatures of the signer and the verifier.

Conclusion
We propose a quantum blockchain algorithm that generates blocks by DPoSB and signs the transaction information with a quantum one-way function based on the $\text{QSCD}_{\text{ff}}$ problem. Through the stake vote and the punishment of malicious behaviours in DPoSB, together with asymmetric quantum encryption, the fairness, efficiency and security of the blockchain system can be improved. Security in the semi-honest adversary model and the malicious adversary model can be realized in our blockchain based on quantum information-theoretical security. Furthermore, we demonstrate the security of our blockchain algorithm compared with other quantum blockchain algorithms. Our quantum blockchains provide a safe platform that could decrease the costs of various operations and transaction activities. We should mention that the trusted node used in our blockchain has a larger weight in the network, and therefore the necessity of the trusted node may weaken decentralization. Quantum signatures that do not require the trusted node could be developed in future research to solve this problem. Moreover, quantum blockchains could be based on quantum privacy computing, which would further enhance the security of actual blockchain applications. In the near future, quantum blockchains will play an important role in social and financial areas that have increasing demands for transaction security.